All-path reachability proofs (APRProof) are slow: at every step the symbolic engine must search for applicable rules and branch over them through the SMT solver.
This proposal splits the work into two independently useful pieces:
- Proof Checker — a trusted component that, given an
APRProof, force-applies the rule on each edge (no search, no branching) and checks coverage.
It needs no exploration and already accelerates re-validating an existing proof (e.g. a cached proof after a semantics change).
- Concrete Explorer — a new component that builds such proofs: run a concrete seed on the LLVM backend, take its rule trace as a one-path certificate, and let the Checker validate it while computing remainders; each remainder yields a new seed down a different path, until none is left.
Concrete execution is an untrusted, pluggable oracle that only decides which rule to apply; all soundness lives in the Checker.
All-path reachability proofs (
APRProof) are slow: at every step the symbolic engine must search for applicable rules and branch over them through the SMT solver.This proposal splits the work into two independently useful pieces:
APRProof, force-applies the rule on each edge (no search, no branching) and checks coverage.It needs no exploration and already accelerates re-validating an existing proof (e.g. a cached proof after a semantics change).
Concrete execution is an untrusted, pluggable oracle that only decides which rule to apply; all soundness lives in the Checker.